Encryption Keys and the LTO 4 and LTO 5 Tape Drives

The Dell Encryption Key Manager and its supported tape drives use symmetric, 256-bit AES keys to encrypt data. This topic explains what you should know about these keys and certificates.

When performing encryption tasks on the LTO 4 or LTO 5 Tape Drives for LTO tape cartridges, Encryption Key Manager uses 256-bit AES symmetric data keys only.

When an LTO 4 or LTO 5 requests a key, Encryption Key Manager uses the alias specified for the tape drive. If no alias was specified for the tape drive, an alias from a key group, key alias list, or range of key aliases specified in the symmetricKeySet configuration property is used. Lacking a specific alias for the tape drive, aliases are selected from the other entities in round robin fashion to balance the use of keys evenly.

The selected alias is associated with a symmetric Data Key (DK) that was preloaded in the keystore. Encryption Key Manager sends this DK, wrapped with a different key that the tape drive can decrypt, to the LTO 4 or LTO 5 tape drive to encrypt the data. The DK is not transmitted through TCP/IP in the clear. The selected alias is also converted to an entity called Data Key identifier (DKi), which is written to tape with the encrypted data. In this way, Encryption Key Manager can use the DKi to identify the correct DK needed to decrypt the data when the LTO 4 or LTO 5 tape is read.

The adddrive and moddrive topics in “CLI Commands” on page 5-7 show how to specify an alias for a tape drive. See “Generating Keys and Aliases for Encryption on LTO 4 and LTO 5” on page 3-9, which includes information on importing keys, exporting keys, and specifying default aliases in the symmetricKeySet configuration property. “Creating and Managing Key Groups” on page 3-14 shows how to define a key group and populate it with aliases from your keystore.

Figure 2-1 shows how keys are processed for encrypted write operation.

1. Tape drive requests key to encrypt tape
2. Encryption Key Manager verifies tape device in Drive Table

Figure 2-1. LTO 4 or LTO 5 Tape Drive Request for Encryption Write Operation (diagram components: Config File, Keystore, Drive Table, Key Manager)

2-4 Dell Encryption Key Mgr User's Guide
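The alias selection and DKi lookup described above, sketched as a small Python model. This is an added example, not Dell's code: the class and method names, the sample aliases and the drive ids are constructed, the DKi is modelled as the alias bytes, and the wrapping of the DK for the drive is left out.

```python
import itertools
import secrets


class KeyManagerModel:
    """Toy model of alias selection and DKi lookup (not Dell code)."""

    def __init__(self, keystore, drive_table, symmetric_key_set):
        self.keystore = keystore          # alias -> preloaded 256-bit DK
        self.drive_table = drive_table    # drive id -> alias, or None if unset
        self._pool = itertools.cycle(symmetric_key_set)  # round-robin order

    def select_alias(self, drive):
        # The drive must be known to the drive table before a key is served.
        if drive not in self.drive_table:
            raise PermissionError(f"drive {drive!r} is not in the drive table")
        # A drive-specific alias takes precedence over the shared pool.
        return self.drive_table[drive] or next(self._pool)

    @staticmethod
    def alias_to_dki(alias):
        # Assumption: the DKi is modelled as the alias bytes. The page only
        # says the alias is converted to a DKi, not how.
        return alias.encode("ascii")

    def serve_write(self, drive):
        alias = self.select_alias(drive)
        # The DK would be wrapped for the drive before sending; omitted here.
        return self.keystore[alias], self.alias_to_dki(alias)

    def serve_read(self, dki):
        # The DKi read back from tape names the DK needed for decryption.
        alias = dki.decode("ascii")
        if alias not in self.keystore:
            raise LookupError(f"no DK for DKi {alias!r}: tape is unreadable")
        return self.keystore[alias]


def demo():
    pool = ["key01", "key02", "key03"]             # constructed sample aliases
    keystore = {a: secrets.token_bytes(32) for a in pool + ["pinned01"]}
    drives = {"DRV-A": "pinned01", "DRV-B": None}  # constructed drive table
    km = KeyManagerModel(keystore, drives, pool)
    used = [km.serve_write("DRV-B")[1].decode() for _ in range(4)]
    dk, dki = km.serve_write("DRV-A")
    return used, km.serve_read(dki) == dk


if __name__ == "__main__":
    print(demo())
```

The LookupError branch shows why a DK must stay in the keystore for as long as any tape carrying its DKi needs to be read.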